Joakim Hvalby
Program Manager Information Security
Article   December 14 2022

GDPR tip 2: Keep marketing within agreed limits

The fact that GDPR was introduced in 2018 doesn’t mean that all organizations comply with it. A common mistake is that organizations, a bit into a project or at the launch of a new product, come to the conclusion that it would be good to reach out with new information. We must always make sure to use the data within the limits for which we have obtained permission, and to be clear when the limits are set up. Joakim Hvalby, Program Manager Information Security at Junglemap, writes in one of four articles with tips regarding GDPR.


"This is an exciting product. Let's send out information about this to all previous customers!" A spirited marketing idea that many of us probably recognize.  

But the guidelines of the responsible authorities are clear: Personal data may only be collected for "specific, explicit and legitimate purposes". This means that in each project we need to be clear about why, for what and for how long we should process personal data.

In addition, the objectives must be specific and concrete, not vague or unclear. It’s not enough that the aim is solely to "improve the user experience", "cyber security" or "future research". Such aims are too broadly expressed, and the data subjects cannot assess what such personal data processing may entail. It’s also not enough to specify "controls" as the purpose of logging and monitoring; the purpose of the control must also be indicated.

The purpose must also be justified. This means that the processing of personal data must have a legal basis in the General Data Protection Regulation and must be carried out in accordance with other applicable legislation and general legal principles. 

Process collected personal data in new ways?  

Of course, it’s difficult to think of all possible scenarios at the beginning of a project where personal data is collected. Often, needs appear that were difficult to predict.  

If the new needs fit within the original purposes, it’s sufficient to inform the data subjects about the new personal data processing before it begins. 

If, on the other hand, it’s a question of using the personal data in a new way, a new consent to personal data processing has to be given. Then we have to start from scratch and find a legal basis for the processing of personal data, making sure that it takes place in accordance with the basic principles and so on... 

After five years with GDPR, this is something that we really should know, but often still forget.   

We have now launched the 2023 version of GDPR and Privacy Protection where we use NanoLearning as a method to create awareness every day of the year. Because in the end, functioning privacy protection also depends on us as users actually thinking and acting with the protection of personal privacy as part of our business. That we carefully formulate the purposes of collecting personal data. And that we are clear in our communication. 
